Abstract

We present the framework of $\delta$-complete analysis for bounded reachability problems of general hybrid systems. We perform bounded reachability checking through solving $\delta$-decision problems over the reals. The techniques take into account robustness properties of the systems under numerical perturbations. We prove that the verification problems become much more mathematically tractable in this new framework. Our implementation of the techniques, an open-source tool dReach, scales well on several highly nonlinear hybrid system models that arise in biomedical and robotics applications.
1 Introduction


Formal verification is difficult for hybrid systems with nonlinear dynamics and complex discrete controls [2,19]. A major difficulty of applying advanced verification techniques in this domain comes from the need to solve logic formulas over the real numbers with nonlinear functions, which is notoriously hard. Recently, we have defined the $\delta$-decision problem, which is much easier to solve [13,12]. Given an arbitrary positive rational number $\delta$, the $\delta$-decision problem asks whether a logic formula is false or $\delta$-true (or, dually, true or $\delta$-false). The latter answer can be given if the formula would be true under $\delta$-bounded numerical changes to its syntactic form [13]. The $\delta$-decision problem is decidable for bounded first-order sentences over the real numbers with arbitrary Type 2 computable functions. Type 2 computable functions [26] are essentially real functions that can be approximated numerically. They cover almost all functions that can occur in realistic hybrid systems, such as polynomials, trigonometric functions, and solutions of Lipschitz-continuous ODEs. The goal of this paper is to develop a new framework for solving bounded reachability problems for hybrid systems based on solving $\delta$-decisions. We prove that this framework makes bounded reachability of hybrid systems a much more mathematically tractable problem, and show that our practical implementation can handle highly nonlinear hybrid systems.

The framework of $\delta$-complete analysis consists of techniques that perform verification and allow bounded errors on the safe side. For bounded reachability problems, $\delta$-complete analysis aims to find one of the following answers:

- safe (bounded): The system does not violate the safety property within a bounded period of time and a bounded number of discrete mode changes.

- $\delta$-unsafe: The system would violate the safety property under some $\delta$-bounded numerical perturbations.

Thus, when the answer is safe, no error is involved. On the other hand, a system that is $\delta$-unsafe would violate the safety property under bounded numerical perturbations. Realistic hybrid systems interact with the physical world, and slight perturbations cannot be avoided. Thus, $\delta$-unsafe systems should indeed be regarded as unsafe, under reasonable choices of $\delta$. Note that such robustness problems cannot be discovered by solving the precise decision problem, so the use of $\delta$-decisions strengthens the verification results.

$\delta$-Complete reachability analysis reduces verification problems to $\delta$-decision problems of formulas over the reals. It follows from the $\delta$-decidability of these formulas [13] that $\delta$-complete reachability analysis of a wide range of nonlinear hybrid systems is decidable. Such results stand in sharp contrast to the standard high undecidability of bounded reachability for simple hybrid systems.

We emphasize that the new framework is immediately practical. We implemented the techniques in our open-source tool dReach, built on our nonlinear SMT solver dReal [14]. In our previous work, we have shown that the underlying solver scales on nonlinear systems [15]. The tool successfully verified safety properties of various nonlinear models that are beyond the scope of existing tools.

The paper is organized as follows. After a short review of $\delta$-decidability, we show how to represent hybrid systems with formulas and how to interpret trajectories through the semantics of the formulas in Section 2. Then we focus on bounded reachability and show the encoding in $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$ in Section 3. In Section 4, we show experimental results of our open-source implementation on highly nonlinear hybrid systems. We discuss the comparison with reachable set computation techniques in Section 5 and conclude in Section 6.

Related Work. Our framework can be seen as a converging point for several lines of existing work. First of all, the use of logic formulas to express model checking of hybrid systems dates back to [3,5], where formulas with linear arithmetic over the reals are used. The lack of an appropriate logic for encoding nonlinear systems beyond real arithmetic has been a major bottleneck in this direction. Second, it has frequently been observed that robustness assumptions help reduce verification complexity. Fränzle's work [10] was among the first to recognize that verification problems are more tractable when robustness is assumed for polynomial hybrid systems. The direction was continued with more positive results such as [25]. These works present theoretical results that do not directly translate to practical solving techniques, and the results are sensitive to the definitions. For instance, it is also shown in [20] that a slightly different notion of robustness and noise does not improve the theoretical properties. We focus on formulating a framework that directly corresponds to practical solving techniques, and the positive theoretical results follow naturally at the same time. There has also been much recent work on using constraint solving techniques for analyzing hybrid systems [11,21,18,7], as well as solving frameworks that exploit robustness properties of the systems [24,22]. These methods can all handle nonlinear dynamics to a certain degree (mostly polynomial systems, with the exception of [7], which we will mention again in the experiments). We aim to extend these works to the broadest class of nonlinear hybrid systems and provide precise correctness guarantees. We also provide an open-source implementation that scales well on highly nonlinear systems that arise in practical applications.


2 $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-Representations of Hybrid Automata

2.1 $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-Formulas and $\delta$-Decidability

We will use a logical language over the real numbers that allows arbitrary computable real functions [26]. We write $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$ to represent this language. Intuitively, a real function is computable if it can be numerically simulated up to an arbitrary precision. For the purpose of this paper, it suffices to know that almost all the functions that are needed in describing hybrid systems are Type 2 computable, such as polynomials, exponentiation, logarithm, trigonometric functions, and solution functions of Lipschitz-continuous ordinary differential equations.

More formally, $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}} = \langle \mathcal{F}, > \rangle$ represents the first-order signature over the reals with the set $\mathcal{F}$ of computable real functions, which contains all the functions mentioned above. Note that constants are included as 0-ary functions. $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formulas are evaluated in the standard way over the structure $\mathbb{R}_{\mathcal{F}} = \langle \mathbb{R}, \mathcal{F}, >_{\mathbb{R}} \rangle$. It is not hard to see that we can put any $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formula in a normal form such that its atomic formulas are of the form $t(x_1, \ldots, x_n) > 0$ or $t(x_1, \ldots, x_n) \geq 0$, with $t(x_1, \ldots, x_n)$ composed of functions in $\mathcal{F}$. To avoid extra preprocessing of formulas, we can explicitly define $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formulas as follows.
Definition 1 ($\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-Formulas). Let $\mathcal{F}$ be a collection of computable real functions. We define:

$$t := x \mid f(t(\mathbf{x})), \text{ where } f \in \mathcal{F} \text{ (constants are 0-ary functions)};$$
$$\varphi := t(\mathbf{x}) > 0 \mid t(\mathbf{x}) \geq 0 \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \exists x_i \varphi \mid \forall x_i \varphi.$$

In this setting $\neg\varphi$ is regarded as an inductively defined operation which replaces atomic formulas $t > 0$ with $-t \geq 0$, atomic formulas $t \geq 0$ with $-t > 0$, switches $\wedge$ and $\vee$, and switches $\forall$ and $\exists$.

Definition 2 (Bounded $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-Sentences). We define the bounded quantifiers $\exists^{[u,v]}$ and $\forall^{[u,v]}$ as
$$\exists^{[u,v]} x. \varphi =_{df} \exists x. (u \leq x \wedge x \leq v \wedge \varphi) \quad \text{and} \quad \forall^{[u,v]} x. \varphi =_{df} \forall x. ((u \leq x \wedge x \leq v) \rightarrow \varphi),$$
where $u$ and $v$ denote terms whose variables only contain free variables in $\varphi$ excluding $x$. A bounded sentence is
$$Q_1^{[u_1,v_1]} x_1 \cdots Q_n^{[u_n,v_n]} x_n \; \psi(x_1, \ldots, x_n),$$
where $Q_i^{[u_i,v_i]}$ are bounded quantifiers, and $\psi(x_1, \ldots, x_n)$ is quantifier-free.

Definition 3 ($\delta$-Variants). Let $\delta \in \mathbb{Q}^+ \cup \{0\}$, and $\varphi$ an $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formula
$$\varphi : Q_1^{I_1} x_1 \cdots Q_n^{I_n} x_n \; \psi[t_i(\mathbf{x}, \mathbf{y}) > 0; \; t_j(\mathbf{x}, \mathbf{y}) \geq 0],$$
where $i \in \{1, \ldots, k\}$ and $j \in \{k+1, \ldots, m\}$. The $\delta$-weakening $\varphi^\delta$ of $\varphi$ is defined as the result of replacing each atom $t_i > 0$ by $t_i > -\delta$ and $t_j \geq 0$ by $t_j \geq -\delta$:
$$\varphi^\delta : Q_1^{I_1} x_1 \cdots Q_n^{I_n} x_n \; \psi[t_i(\mathbf{x}, \mathbf{y}) > -\delta; \; t_j(\mathbf{x}, \mathbf{y}) \geq -\delta].$$
It is clear that $\varphi \rightarrow \varphi^\delta$ (see [13]).

In [13,12], we have proved that the following $\delta$-decision problem is decidable, which is the basis of our framework.

Theorem 1 ($\delta$-Decidability). Let $\delta \in \mathbb{Q}^+$ be arbitrary. There is an algorithm which, given any bounded $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-sentence $\varphi$, correctly returns one of the following two answers:

- $\delta$-True: $\varphi^\delta$ is true.

- False: $\varphi$ is false.

When the two cases overlap, either answer is correct.
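As an added illustration of Definitions 1 and 3 and of Theorem 1 (our own example code, not part of the paper and not taken from the dReal/dReach implementation), the following Python implements the $\delta$-weakening and the inductively defined negation on a tiny formula language, and a toy $\delta$-decision procedure for one-variable bounded existential sentences using interval arithmetic and bisection. The term and formula encodings, the function names and the sample sentences are assumptions of the example. Run on $\exists^{[0,2]}x.\ x^2 = 2$ it can only answer $\delta$-true (the witness $\sqrt{2}$ is irrational, so it reports a box around it on which the weakened sentence holds everywhere); on $\exists^{[0,2]}x.\ x^2 = 2 \wedge x \leq 1$ it proves False.

```python
"""Added example, not from the paper or from dReal/dReach: a toy delta-decision
procedure for bounded one-variable existential sentences
    exists^{[lo,hi]} x . phi(x),   phi quantifier-free over atoms t > 0, t >= 0,
in the sense of Definition 3 / Theorem 1. Naive interval arithmetic plus
bisection only; the real procedure (ICP inside DPLL(T)) is far more elaborate.
Encodings (ours):
  terms    ('x',) | ('c', value) | ('+', a, b) | ('-', a, b) | ('*', a, b)
  formulas ('>', t) | ('>=', t) | ('and', f, g) | ('or', f, g)
"""

def ieval(term, box):
    """Interval enclosure of term over box = (lo, hi): the true range of the
    term on the box is contained in the returned interval."""
    op = term[0]
    if op == 'x':
        return box
    if op == 'c':
        return (term[1], term[1])
    a, b = ieval(term[1], box), ieval(term[2], box)
    if op == '+':
        return (a[0] + b[0], a[1] + b[1])
    if op == '-':
        return (a[0] - b[1], a[1] - b[0])
    if op == '*':
        ps = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
        return (min(ps), max(ps))
    raise ValueError(op)

def negate(phi):
    """Negation as the inductively defined operation of Definition 1:
    t > 0 becomes -t >= 0, t >= 0 becomes -t > 0, and/or are swapped."""
    op = phi[0]
    if op == '>':
        return ('>=', ('-', ('c', 0.0), phi[1]))
    if op == '>=':
        return ('>', ('-', ('c', 0.0), phi[1]))
    return ('or' if op == 'and' else 'and', negate(phi[1]), negate(phi[2]))

def weaken(phi, delta):
    """Syntactic delta-weakening phi^delta of Definition 3:
    t > 0 becomes t + delta > 0 and t >= 0 becomes t + delta >= 0."""
    op = phi[0]
    if op in ('>', '>='):
        return (op, ('+', phi[1], ('c', delta)))
    return (op, weaken(phi[1], delta), weaken(phi[2], delta))

def holds_everywhere(phi, box):
    """True only if the enclosure proves phi at every point of the box."""
    op = phi[0]
    if op == '>':
        return ieval(phi[1], box)[0] > 0
    if op == '>=':
        return ieval(phi[1], box)[0] >= 0
    l, r = holds_everywhere(phi[1], box), holds_everywhere(phi[2], box)
    return (l and r) if op == 'and' else (l or r)

def delta_decide(phi, lo, hi, delta, max_depth=60):
    """Decide exists^{[lo,hi]} x . phi(x) up to delta. Returns
    ('delta-true', witness_box) when phi^delta holds on a whole sub-box, or
    ('false', None) once every sub-box is proved to falsify phi. When the
    sentence is false but its weakening true, either answer is correct."""
    phi_delta = weaken(phi, delta)
    stack = [((float(lo), float(hi)), 0)]
    while stack:
        box, depth = stack.pop()
        if holds_everywhere(phi_delta, box):
            return ('delta-true', box)
        if holds_everywhere(negate(phi), box):   # phi false on the whole box
            continue
        if depth >= max_depth:
            raise RuntimeError('interval refinement exhausted at %r' % (box,))
        mid = (box[0] + box[1]) / 2
        stack.append(((mid, box[1]), depth + 1))
        stack.append(((box[0], mid), depth + 1))
    return ('false', None)

X = ('x',)
SQ = ('*', X, X)
# x^2 = 2 as two non-strict atoms: precisely true (at sqrt 2), but no rational
# witness exists, so a numerical procedure can only report delta-true.
SQRT2 = ('and', ('>=', ('-', SQ, ('c', 2.0))), ('>=', ('-', ('c', 2.0), SQ)))
# x^2 = 2 and x <= 1: false, and the bisection proves it false.
SQRT2_LEFT = ('and', SQRT2, ('>=', ('-', ('c', 1.0), X)))

if __name__ == '__main__':
    print(delta_decide(SQRT2, 0, 2, 1e-3))        # delta-true with a box near 1.4142
    print(delta_decide(SQRT2_LEFT, 0, 2, 1e-3))   # ('false', None)
```

The order of the two checks in `delta_decide` only matters on a box that is both proved to falsify $\varphi$ and proved to satisfy $\varphi^\delta$ (all term values in $[-\delta, 0)$), which is exactly the overlap Theorem 1 allows; both answers are then correct. Termination relies on the enclosures shrinking with the box, which holds for the polynomial terms used here.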

Theorem 2 (Complexity). Let $S$ be a class of $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-sentences, such that for any $\varphi$ in $S$, the terms in $\varphi$ are in Type 2 complexity class $\mathsf{C}$. Then, for any $\delta \in \mathbb{Q}^+$, the $\delta$-decision problem for bounded $\Sigma_n$-sentences in $S$ is in $(\Sigma_n^P)^{\mathsf{C}}$.

2.2 $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-Representations and Hybrid Trajectories

We first show that $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formulas can concisely represent hybrid automata.

Definition 4 ($\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-Representations of Hybrid Automata). A hybrid automaton in $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-representation is a tuple
$$H = \langle X, Q, \{\mathrm{flow}_q(\mathbf{x}, \mathbf{y}, t) : q \in Q\}, \{\mathrm{inv}_q(\mathbf{x}) : q \in Q\}, \{\mathrm{jump}_{q \to q'}(\mathbf{x}, \mathbf{y}) : q, q' \in Q\}, \{\mathrm{init}_q(\mathbf{x}) : q \in Q\} \rangle$$
where $X \subseteq \mathbb{R}^n$ for some $n \in \mathbb{N}$, $Q = \{q_1, \ldots, q_m\}$ is a finite set of modes, and the other components are finite sets of quantifier-free $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formulas.

Notation 3. For any hybrid system $H$, we write $X(H)$, $\mathrm{flow}(H)$, etc. to denote its corresponding components.

Almost all hybrid systems studied in the existing literature can be defined by restricting the set of functions $\mathcal{F}$ in the signature. For instance,

Example 1 (Linear and Polynomial Hybrid Automata). Let $\mathcal{F}_{\mathrm{lin}} = \{+\} \cup \mathbb{Q}$ and $\mathcal{F}_{\mathrm{poly}} = \{\times\} \cup \mathcal{F}_{\mathrm{lin}}$. Rational numbers are considered as 0-ary functions. In the existing literature, $H$ is a linear hybrid automaton if it has an $\mathcal{L}_{\mathbb{R}_{\mathcal{F}_{\mathrm{lin}}}}$-representation, and a polynomial hybrid automaton if it has an $\mathcal{L}_{\mathbb{R}_{\mathcal{F}_{\mathrm{poly}}}}$-representation.

Example 2 (Nonlinear Bouncing Ball). The bouncing ball is a standard hybrid system model. Its nonlinear version (with air drag) can be $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-represented in the following way:

- $X = \mathbb{R}^2$ and $Q = \{q_u, q_d\}$. We use $q_u$ to represent the bounce-back mode and $q_d$ the falling mode.

- $\mathrm{flow} = \{\mathrm{flow}_{q_u}(x_0, v_0, x_t, v_t, t), \mathrm{flow}_{q_d}(x_0, v_0, x_t, v_t, t)\}$. We use $x$ to denote the height of the ball and $v$ its velocity. Instead of using time derivatives, we can directly write the flows as integrals over time, using $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formulas:

  - $\mathrm{flow}_{q_u}(x_0, v_0, x_t, v_t, t)$ defines the dynamics in the bounce-back phase:
  $$\Big(x_t = x_0 + \int_0^t v(s)\,ds\Big) \wedge \Big(v_t = v_0 + \int_0^t g\,(1 - \beta v(s)^2)\,ds\Big)$$

  - $\mathrm{flow}_{q_d}(x_0, v_0, x_t, v_t, t)$ defines the dynamics in the falling phase:
  $$\Big(x_t = x_0 + \int_0^t v(s)\,ds\Big) \wedge \Big(v_t = v_0 + \int_0^t g\,(1 + \beta v(s)^2)\,ds\Big)$$

  where $\beta$ is a constant. Again, note that the integration terms define Type 2 computable functions.

- $\mathrm{jump} = \{\mathrm{jump}_{q_u \to q_d}(x, v, x', v'), \mathrm{jump}_{q_d \to q_u}(x, v, x', v')\}$ where

  - $\mathrm{jump}_{q_u \to q_d}(x, v, x', v')$ is $(v = 0 \wedge x' = x \wedge v' = v)$.

  - $\mathrm{jump}_{q_d \to q_u}(x, v, x', v')$ is $(x = 0 \wedge v' = \alpha v \wedge x' = x)$, for some constant $\alpha$.

- $\mathrm{init}_{q_d}$ is $(x = 10 \wedge v = 0)$ and $\mathrm{init}_{q_u}$ is $\bot$.

- $\mathrm{inv}_{q_d}$ is $(x \geq 0 \wedge v \geq 0)$ and $\mathrm{inv}_{q_u}$ is $(x \geq 0 \wedge v \leq 0)$.
Trajectories of hybrid systems combine continuous flows and discrete jumps. This motivates the use of a hybrid time domain, with which we can keep track of both the discrete changes and the duration of each continuous flow. A hybrid time domain is a sequence of closed intervals on the real line, and a hybrid trajectory is a mapping from the time domain to the Euclidean space. Formally, we use the following definition given by Davoren in [9]:

Definition 5 (Hybrid Time Domains and Hybrid Trajectories [9]). A hybrid time domain is a subset of $\mathbb{N} \times \mathbb{R}$ of the form
$$T_m = \{(i, t) : i < m \text{ and } t \in [t_i, t_i'] \text{ or } [t_i, +\infty)\},$$
where $m \in \mathbb{N} \cup \{+\infty\}$, $t_i$ is an increasing sequence in $\mathbb{R}^+$, $t_0 = 0$, and $t_i' = t_{i+1}$. When $X \subseteq \mathbb{R}^n$ is a Euclidean space and $T_m$ a hybrid time domain, a hybrid trajectory is a continuous mapping $\xi : T_m \to X$. We write the time domain $T_m$ of $\xi$ as $T(\xi)$.

We can now define trajectories of hybrid automata. To link hybrid trajectories with automata, we need a labeling function $\sigma_\xi^H(i)$ that maps each step $i$ in the hybrid trajectory to an appropriate discrete mode in $H$, and make sure that the flow, jump, inv, and init conditions are satisfied.

Definition 6 (Trajectories of Hybrid Automata). Let $H$ be a hybrid automaton, $T_m$ a hybrid time domain, and $\xi : T_m \to X$ a hybrid trajectory. We say that $\xi$ is a trajectory of $H$ of discrete depth $m$, written as $\xi \in \llbracket H \rrbracket$, if there exists a labeling function $\sigma_\xi^H : \mathbb{N} \to Q$ such that:

- For some $q \in Q$, $\sigma_\xi^H(0) = q$ and $\mathbb{R}_{\mathcal{F}} \models \mathrm{init}_q(\xi(0, 0))$.

- For any $(i, t) \in T_m$, $\mathbb{R}_{\mathcal{F}} \models \mathrm{inv}_{\sigma_\xi^H(i)}(\xi(i, t))$.

- For any $(i, t) \in T_m$,

  - When $i = 0$, $\mathbb{R}_{\mathcal{F}} \models \mathrm{flow}_{\sigma_\xi^H(0)}(\xi(0, 0), \xi(0, t), t)$.

  - When $i = k + 1$, where $0 < k + 1 < m$,
  $$\mathbb{R}_{\mathcal{F}} \models \mathrm{flow}_{\sigma_\xi^H(k+1)}(\xi(k+1, t_{k+1}), \xi(k+1, t), (t - t_{k+1})), \text{ and}$$
  $$\mathbb{R}_{\mathcal{F}} \models \mathrm{jump}_{\sigma_\xi^H(k) \to \sigma_\xi^H(k+1)}(\xi(k, t_k'), \xi(k+1, t_{k+1})).$$

The definition is straightforward. In each mode, the system flows continuously following the dynamics defined by $\mathrm{flow}_q$. Note that $(t - t_{k+1})$ is the actual time elapsed in the $(k+1)$-th mode, since $t_{k+1}$ is the absolute time at which that mode was entered. When a switch between two modes is performed, it is required that $\xi(k+1, t_{k+1})$ is obtained from the exit value $\xi(k, t_k')$ in the previous mode, following the jump conditions.

Remark  1  (jump  vs  inv).  The  jump  conditions  specify  when  H  may  switch  to  another  mode.  The 
invariants  (when  violated)  specify  when  H  must  switch  to  another  mode.  They  will  require  different 
logical  encodings. 

Note that we gave no restriction on the formulas that can be used for describing hybrid automata in Definition 4. A minimal requirement is that the flow predicates should define continuous trajectories over time, namely:

Definition 7 (Well-Defined Flow Predicates). Let $\mathrm{flow}(\mathbf{x}, \mathbf{y}, t)$ be a flow predicate for a hybrid automaton $H$. We say the flow predicate is well-defined if for all tuples $(\mathbf{a}, \mathbf{b}, r) \in X(H) \times X(H) \times \mathbb{R}^{\geq 0}$ such that $\mathbb{R}_{\mathcal{F}} \models \mathrm{flow}(\mathbf{a}, \mathbf{b}, r)$, there exists a continuous function $\eta : [0, r] \to X$ such that $\eta(0) = \mathbf{a}$, $\eta(r) = \mathbf{b}$, and for all $t' \in [0, r]$, we have $\mathbb{R}_{\mathcal{F}} \models \mathrm{flow}(\mathbf{a}, \eta(t'), t')$. We say $H$ is well-defined if all its flow predicates are well-defined.

This definition requires that we can always construct a trajectory between the initial and end points that satisfy a flow predicate. Flows that are defined using differential equations, differential inclusions, and explicit continuous mappings all satisfy this condition. Thus, from now on our discussion of hybrid automata assumes their well-definedness.


2.3 $\delta$-Perturbations

We can now define $\delta$-perturbations on hybrid automata directly through perturbations on the logic formulas in their $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-representations. For any set $S$ of $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formulas, we write $S^\delta$ to denote the set containing the $\delta$-perturbations of all elements of $S$.

Definition 8 ($\delta$-Weakening of Hybrid Automata). Let $\delta \in \mathbb{Q}^+ \cup \{0\}$ be arbitrary. Suppose
$$H = \langle X, Q, \mathrm{flow}, \mathrm{jump}, \mathrm{inv}, \mathrm{init} \rangle$$
is an $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-representation of hybrid system $H$. The $\delta$-weakening of $H$ is
$$H^\delta = \langle X, Q, \mathrm{flow}^\delta, \mathrm{jump}^\delta, \mathrm{inv}^\delta, \mathrm{init}^\delta \rangle$$
which is obtained by weakening all formulas in the representation of $H$.

Example 3. The $\delta$-weakening of the bouncing ball automaton is obtained by weakening the formulas in its description. For instance, $\mathrm{flow}_{q_u}^\delta(x_0, v_0, x_t, v_t, t)$ is
$$\Big| x_t - \Big(x_0 + \int_0^t v(s)\,ds\Big) \Big| \leq \delta \;\wedge\; \Big| v_t - \Big(v_0 + \int_0^t g\,(1 - \beta v(s)^2)\,ds\Big) \Big| \leq \delta$$
and $\mathrm{jump}_{q_d \to q_u}^\delta(x, v, x', v')$ is
$$|x| \leq \delta \;\wedge\; |v' - \alpha v| \leq \delta \;\wedge\; |x' - x| \leq \delta.$$

Remark 2. It is important to note that the notion of $\delta$-perturbation is a purely syntactic one (defined on the description of hybrid systems) instead of a semantic one (defined on the trajectories). The syntactic perturbations correspond to a semantic over-approximation of $H$ in the trajectory space.

Proposition 1. For any $H$ and $\delta \in \mathbb{Q}^+ \cup \{0\}$, $\llbracket H \rrbracket \subseteq \llbracket H^\delta \rrbracket$.

Proof. Let $\xi \in \llbracket H \rrbracket$ be any trajectory of $H$. Following Definition 3, for any $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-sentence $\varphi$, we have $\varphi \rightarrow \varphi^\delta$. Since $\xi$ satisfies the conditions in Definition 6, after replacing each formula by its $\delta$-weakening, we have $\xi \in \llbracket H^\delta \rrbracket$. $\square$
2.4 Reachability

We can now formally state the reachability problem for hybrid automata using $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-representations and their interpretations.

Definition 9 (Reachability). Let $H$ be an $n$-dimensional hybrid automaton, and $U$ a subset of its state space $Q \times X$. We say $U$ is reachable by $H$ if there exists $\xi \in \llbracket H \rrbracket$ such that there exists $(i, t) \in T(\xi)$ satisfying $(\sigma_\xi^H(i), \xi(i, t)) \in U$.

The bounded reachability problem for hybrid systems is defined by restricting the continuous time duration to a bounded interval, and the number of discrete transitions to a finite number.

Definition 10 (Bounded Reachability). Let $H$ be an $n$-dimensional hybrid automaton whose continuous state space $X$ is a bounded subset of $\mathbb{R}^n$. Let $U$ be a subset of its state space. Set $k \in \mathbb{N}$ and $M \in \mathbb{R}^{\geq 0}$. The $(k, M)$-bounded reachability problem asks whether there exists $\xi \in \llbracket H \rrbracket$ such that there exists $(i, t) \in T(\xi)$ with $i \leq k$, $t = \sum_{j=0}^{i} t_j$ where each $t_j \leq M$ ($t_j$ being the time spent in the $j$-th mode), and $(\sigma_\xi^H(i), \xi(i, t)) \in U$.

Remark 3. By "step", we mean the number of discrete jumps. We say $H$ can reach $U$ in $k$ steps if there exists $\xi \in \llbracket H \rrbracket$ that contains $k$ discrete jumps, which consists of $k + 1$ pieces of continuous flows in the corresponding discrete modes.

In the seminal work of [4,3], it is already shown that the bounded reachability problem for simple classes of hybrid automata is undecidable. The goal of $\delta$-complete analysis is to bypass much of this difficulty.

3 $\delta$-Complete Analysis for Bounded Reachability

3.1 Encoding Bounded Reachability in $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$

We now define the $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-encoding of bounded reachability. The encodings are standard bounded model checking, and have been studied in existing work, but without the generality of a full $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-language. As a result, some issues have not been discovered. For example, the full encoding of nondeterministic flows with invariant conditions requires second-order quantification, and the first-order encoding requires additional assumptions. We will give the full $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-encodings and discuss such details.

Notation 4. Let $H$ be a hybrid automaton. We use $\mathrm{unsafe} = \{\mathrm{unsafe}_q : q \in Q\}$ as the $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-representation of an unsafe region in the state space of $H$. We can write $\llbracket \mathrm{unsafe} \rrbracket = \bigcup_{q \in Q} \llbracket \mathrm{unsafe}_q \rrbracket \times \{q\}$.

First, we need to define a set of auxiliary formulas that will be important for ensuring that a particular mode is picked at a certain step.

Definition 11. Let $Q = \{q_1, \ldots, q_m\}$ be a set of modes. For any $q \in Q$ and $i \in \mathbb{N}$, use $b_q^i$ to represent a Boolean variable. We now define
$$\mathrm{enforce}_Q(q, i) = b_q^i \wedge \bigwedge_{p \in Q \setminus \{q\}} \neg b_p^i$$
$$\mathrm{enforce}_Q(q, q', i) = b_q^i \wedge b_{q'}^{i+1} \wedge \bigwedge_{p \in Q \setminus \{q\}} \neg b_p^i \wedge \bigwedge_{p' \in Q \setminus \{q'\}} \neg b_{p'}^{i+1}$$
We omit the subscript $Q$ when the context is clear.

The use of the auxiliary formulas will be explained when we define the full encodings of bounded reachability.

Systems with no invariants. We start with the simplest case, hybrid automata with no invariants. Naturally, we say a hybrid automaton $H$ is invariant-free if $\mathrm{inv}_q(H) = \top$ for every $q \in Q(H)$. We define the following formula that checks whether an unsafe region is reachable after exactly $k$ steps of discrete transitions in a hybrid system.

Definition 12 ($k$-Step Reachability, Invariant-Free Case). Suppose $H$ is invariant-free, and $U$ a subset of its state space represented by $\mathrm{unsafe}$. The $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formula $\mathrm{Reach}_{H,U}(k, M)$ is defined as:


qCQ 


Intuitively, the trajectories start with some initial state satisfying $\mathrm{init}_q(\mathbf{x}_0)$ for some $q$. In each step, the system follows $\mathrm{flow}_q(\mathbf{x}_i, \mathbf{x}_i', t)$ and makes a continuous flow from $\mathbf{x}_i$ to $\mathbf{x}_i'$ after time $t$. When $H$ makes a jump from mode $q'$ to $q$, it resets variables following $\mathrm{jump}_{q' \to q}(\mathbf{x}_k', \mathbf{x}_{k+1})$. The auxiliary enforce formulas ensure that picking $\mathrm{jump}_{q \to q'}$ in the $i$-th step enforces picking $\mathrm{flow}_{q'}$ in the $(i+1)$-th step.
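The following Python, added here as our own example rather than code from the paper or from dReach, builds the enforce literals of Definition 11 as sets of (variable, polarity) pairs and checks by exhaustive enumeration that the literals generated along a mode sequence $\sigma(0), \ldots, \sigma(k)$ admit exactly one assignment to the $b_q^i$, while mixing the literals of two different labelings at the same step is contradictory. The modes are those of the bouncing ball in Example 2; the variable encoding, the function names and the sequences are the example's own assumptions.

```python
"""Added example, not from the paper: the mode-enforcing literals of
Definition 11 and a brute-force check that, along a fixed mode sequence
sigma(0..k), their conjunction has exactly one model over the Boolean
variables b_q^i. This is what makes the disjunctions of the unrolled
reachability formula agree on which flow_q is active at each step.
Modes, variable encoding and sequences are ours."""
from itertools import product

def enforce(Q, q, i):
    """enforce_Q(q, i) = b_q^i and (not b_p^i) for every other mode p,
    as a set of (variable, polarity) literals with variable = (mode, step)."""
    return {((q, i), True)} | {((p, i), False) for p in Q if p != q}

def enforce_jump(Q, q, q_next, i):
    """enforce_Q(q, q', i): mode q is active at step i and q' at step i+1."""
    return enforce(Q, q, i) | enforce(Q, q_next, i + 1)

def mode_literals(Q, sigma):
    """All enforce literals the encoding generates for labeling sigma:
    enforce(sigma(0), 0), then enforce(sigma(i), sigma(i+1), i) and
    enforce(sigma(i+1), i+1) for each jump, mirroring Definition 13."""
    lits = set(enforce(Q, sigma[0], 0))
    for i in range(len(sigma) - 1):
        lits |= enforce_jump(Q, sigma[i], sigma[i + 1], i)
        lits |= enforce(Q, sigma[i + 1], i + 1)
    return lits

def consistent(lits):
    """False if some variable is required both true and false."""
    return not any((var, not pol) in lits for var, pol in lits)

def models(Q, k, lits):
    """Every assignment to {b_q^i : q in Q, 0 <= i <= k} satisfying lits
    (exhaustive search; fine for the handful of variables in an example)."""
    variables = [(q, i) for i in range(k + 1) for q in Q]
    found = []
    for bits in product((False, True), repeat=len(variables)):
        assignment = dict(zip(variables, bits))
        if all(assignment[var] == pol for var, pol in lits):
            found.append(assignment)
    return found

def active_modes(assignment):
    """The labeling recovered from a model: step -> mode whose b_q^i is true."""
    return {i: q for (q, i), v in sorted(assignment.items()) if v}

MODES = ('qd', 'qu')            # bouncing-ball modes of Example 2
BOUNCE = ('qd', 'qu', 'qd')     # fall, bounce back, fall again: k = 2 jumps

if __name__ == '__main__':
    ms = models(MODES, 2, mode_literals(MODES, BOUNCE))
    print(len(ms), active_modes(ms[0]))          # 1 {0: 'qd', 1: 'qu', 2: 'qd'}
    # Literals of two different labelings at step 1 contradict each other.
    print(consistent(enforce_jump(MODES, 'qd', 'qu', 0) | enforce(MODES, 'qd', 1)))
```

In the encoding, the solver chooses one disjunct per step; the enforce literals are the only thing tying the $\mathrm{jump}_{q \to q'}$ chosen at step $i$ to the $\mathrm{flow}_{q'}$ chosen at step $i+1$, which is why a mismatched choice becomes a propositional contradiction that DPLL(T) rejects before any real arithmetic is consulted.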

Systems with invariants and deterministic flows. When the invariants are not trivial, we need to ensure that for all the time points along a continuous flow, the invariant condition holds. Thus, we need to universally quantify over time. This is a fact that has been previously discussed, for instance, in [8]. However, if we allow nondeterministic flows, the situation is more complicated, which has not been discovered in existing work. We give the encoding for systems with only deterministic flows first, as follows:

Definition 13 ($k$-Step Reachability, Nontrivial Invariant and Deterministic Flow). Suppose $H$ contains invariants and only deterministic flows, and $U$ a subset of its state space represented by $\mathrm{unsafe}$. In this case, the $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formula $\mathrm{Reach}_{H,U}(k, M)$ is defined as:
$$\exists^X \mathbf{x}_0 \exists^X \mathbf{x}_0' \cdots \exists^X \mathbf{x}_k \exists^X \mathbf{x}_k' \exists^{[0,M]} t_0 \cdots \exists^{[0,M]} t_k.$$
$$\bigvee_{q \in Q} \Big( \mathrm{init}_q(\mathbf{x}_0) \wedge \mathrm{flow}_q(\mathbf{x}_0, \mathbf{x}_0', t_0) \wedge \mathrm{enforce}(q, 0) \wedge \forall^{[0,t_0]} t \, \forall^X \mathbf{x} \, \big(\mathrm{flow}_q(\mathbf{x}_0, \mathbf{x}, t) \rightarrow \mathrm{inv}_q(\mathbf{x})\big) \Big)$$
$$\wedge \bigwedge_{i=0}^{k-1} \Big( \bigvee_{q, q' \in Q} \big( \mathrm{jump}_{q \to q'}(\mathbf{x}_i', \mathbf{x}_{i+1}) \wedge \mathrm{flow}_{q'}(\mathbf{x}_{i+1}, \mathbf{x}_{i+1}', t_{i+1}) \wedge \mathrm{enforce}(q, q', i)$$
$$\qquad \wedge \mathrm{enforce}(q', i+1) \wedge \forall^{[0,t_{i+1}]} t \, \forall^X \mathbf{x} \, \big(\mathrm{flow}_{q'}(\mathbf{x}_{i+1}, \mathbf{x}, t) \rightarrow \mathrm{inv}_{q'}(\mathbf{x})\big) \big) \Big)$$
$$\wedge \bigvee_{q \in Q} \big( \mathrm{unsafe}_q(\mathbf{x}_k') \wedge \mathrm{enforce}(q, k) \big).$$

The extra universal quantifier for each continuous flow expresses the requirement that for all the time points between the initial and ending time points ($t \in [0, t_{i+1}]$) in a flow, the continuous variables $\mathbf{x}$ must take values that satisfy the invariant conditions $\mathrm{inv}_q(\mathbf{x})$.

Systems with invariants and nondeterministic flows. In the most general case, a hybrid system can contain nondeterministic flows: i.e., for some $q \in Q$, there exist $\mathbf{a}_0, \mathbf{a}_t, \mathbf{a}_t' \in \mathbb{R}^n$ and $t \in \mathbb{R}$ such that $\mathbf{a}_t \neq \mathbf{a}_t'$, $\mathbb{R}_{\mathcal{F}} \models \mathrm{flow}_q(\mathbf{a}_0, \mathbf{a}_t, t)$ and $\mathbb{R}_{\mathcal{F}} \models \mathrm{flow}_q(\mathbf{a}_0, \mathbf{a}_t', t)$. Consequently, there are multiple possible values for the continuous variables at each time point. Different values correspond to different trajectories, and we only look for one of the trajectories that satisfies the invariant at all time points. Thus, we need to quantify over a trajectory $\xi$ and write $\forall t\, \mathrm{inv}(\xi(t))$. We conjecture that, in general, this second-order quantification cannot be fully reduced to a first-order expression.

In practice, the discussion of the invariant conditions in the existing work has (implicitly) assumed that the invariant condition should hold for all possible trajectories in the case of nondeterministic flow. We can formulate this assumption in the following way:

Definition 14 (Strictly-Imposed Invariants). We say a hybrid automaton $H$ has strictly-imposed mode invariants if the following condition holds. Let $\mathrm{flow}_q(\mathbf{x}, \mathbf{y}, t)$ and $\mathrm{inv}_q(\mathbf{x})$ be the flow and invariant conditions in any mode $q$ of $H$. Let $\mathbf{a}$ be an arbitrary starting point in the mode, satisfying $\mathrm{inv}_q(\mathbf{a})$. Then, for any $\mathbf{b}, \mathbf{b}' \in X(H)$ such that $\mathrm{flow}_q(\mathbf{a}, \mathbf{b}, r)$ and $\mathrm{flow}_q(\mathbf{a}, \mathbf{b}', r)$ are true at the same time point $r$, we have $\mathrm{inv}_q(\mathbf{b})$ iff $\mathrm{inv}_q(\mathbf{b}')$.

If this condition holds, then at each time point all flows from the same starting point agree on whether the invariant is satisfied, so a witness trajectory of bounded reachability exists exactly when every possible flow satisfies the invariants. Consequently, we can still use the encoding in Definition 13, which requires that all possible flows satisfy the invariants. Thus, when this condition applies, we can still use the first-order encoding for reachability in the presence of nondeterministic flows.
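To make the caveat concrete, here is an added Python example (ours, not from the paper) with a one-mode, one-variable toy automaton, invariant $x \leq 1$, and two flow predicates: a deterministic one, $x = x_0 + t$, and the differential inclusion $x_0 + t \leq x \leq x_0 + 2t$ (i.e. $1 \leq \dot{x} \leq 2$). It evaluates, on a rational grid, the universally quantified invariant check of Definition 13, a witness-trajectory check in the sense of Definition 6, and the condition of Definition 14. For the inclusion, the encoding declares the end state $x = 0.8$ at $t = 0.8$ unreachable although the trajectory $\eta(t) = t$ reaches it while keeping the invariant, and the strictly-imposed check fails; for the deterministic flow all three agree. The model, the grid resolution and all names are assumptions of the example, and the grid makes this a checker for this toy only, not a decision procedure.

```python
"""Added example, not from the paper: a finite-grid illustration of why the
first-order invariant encoding of Definition 13 needs the strictly-imposed
invariants of Definition 14 once flows are nondeterministic. One mode, one
continuous variable x starting at x0, invariant inv(x) := x <= 1, and two
flow predicates given as the band of admissible values at time t:
  deterministic  flow(x0, x, t) := x = x0 + t
  inclusion      flow(x0, x, t) := x0 + t <= x <= x0 + 2t   (1 <= dx/dt <= 2)
Quantifiers are sampled on a rational grid (exact arithmetic, no rounding)."""
from fractions import Fraction

GRID = 50  # sample points per bounded quantifier

def samples(lo, hi, n=GRID):
    """n+1 evenly spaced rationals from lo to hi, both ends included."""
    return [lo + (hi - lo) * Fraction(i, n) for i in range(n + 1)]

def det_band(x0, t):
    return (x0 + t, x0 + t)

def inc_band(x0, t):
    return (x0 + t, x0 + 2 * t)

def flow(band, x0, x, t):
    lo, hi = band(x0, t)
    return lo <= x <= hi

def inv(x):
    return x <= 1

def encoded_reach(band, x0, x_end, T):
    """One flow step as Definition 13 encodes it:
    flow(x0, x_end, T) and, for all t in [0,T] and all x,
    flow(x0, x, t) -> inv(x). The inner 'for all x' only has to range over
    the admissible band at time t."""
    x0, x_end, T = Fraction(x0), Fraction(x_end), Fraction(T)
    if not flow(band, x0, x_end, T):
        return False
    return all(inv(x) for t in samples(Fraction(0), T)
                      for x in samples(*band(x0, t)))

def trajectory_reach(band, x0, x_end, T):
    """Definition 6 semantics certified by one explicit witness: the straight
    line eta(t) = x0 + (x_end - x0) t / T. Reachable if that single trajectory
    is admissible and keeps the invariant at every sampled time (a sufficient
    condition; other candidate trajectories are not tried)."""
    x0, x_end, T = Fraction(x0), Fraction(x_end), Fraction(T)
    if T == 0:
        return x_end == x0 and inv(x0)
    return all(flow(band, x0, x, t) and inv(x)
               for t in samples(Fraction(0), T)
               for x in [x0 + (x_end - x0) * t / T])

def strictly_imposed(band, x0, T):
    """Definition 14 on the grid: at each sampled time, inv is either true
    for every admissible value or false for every admissible value."""
    x0, T = Fraction(x0), Fraction(T)
    return all(len({inv(x) for x in samples(*band(x0, t))}) == 1
               for t in samples(Fraction(0), T))

if __name__ == '__main__':
    for name, band in (('deterministic', det_band), ('inclusion', inc_band)):
        print(name,
              'encoded:', encoded_reach(band, 0, '4/5', '4/5'),
              'trajectory:', trajectory_reach(band, 0, '4/5', '4/5'),
              'strictly imposed:', strictly_imposed(band, 0, '4/5'))
```

The practical reading: if a model uses differential inclusions (rate bounds, uncertain parameters folded into the flow) together with mode invariants, the $\forall t\,\forall\mathbf{x}$ encoding can answer "unreachable" for a state the system can actually reach, so a "safe" verdict obtained this way is only trustworthy once the strictly-imposed condition has been checked for the model.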

3.2 $\delta$-Complete Analysis of Bounded Reachability

We now define the $\delta$-complete analysis problem and prove its decidability.

Definition 15. Let $H$ be a hybrid system and $U$ a subset of its state space. Suppose $U$ is represented by the $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formula $\mathrm{unsafe}$. Let $k \in \mathbb{N}$ and $M \in \mathbb{R}^+$. The $\delta$-complete analysis for the $(k, M)$-bounded reachability problem asks for one of the following answers:

- $(k, M)$-Safety: $H$ does not reach $\llbracket \mathrm{unsafe} \rrbracket$ within the $(k, M)$-bound.

- $\delta$-Unsafety: $H^\delta$ reaches $\llbracket \mathrm{unsafe}^\delta \rrbracket$ within the $(k, M)$-bound.

The following lemma comes from the intuitive meaning of the encodings. A proof is given in the appendix.

Lemma 1. Let $\delta \in \mathbb{Q}^+ \cup \{0\}$ be arbitrary. Suppose $H$ is a well-defined hybrid automaton with strictly-imposed invariants. Let $U$ be a subset of the state space of $H$, represented by the set $\mathrm{unsafe}$ of $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formulas. Let $\mathrm{Reach}_{H,U}(k, M)$ be the $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formula encoding $(k, M)$-bounded reachability of $H$ with respect to $U$. We always have that $\mathbb{R}_{\mathcal{F}} \models (\mathrm{Reach}_{H,U}(k, M))^\delta$ iff there exists a trajectory $\xi \in \llbracket H^\delta \rrbracket$ such that for some $(k, t) \in T(\xi)$, where $0 \leq t \leq M$, $(\xi(k, t), \sigma_\xi^H(k)) \in \llbracket \mathrm{unsafe}^\delta \rrbracket$.

Now we can show that $\delta$-complete analysis for bounded reachability problems is decidable for general $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-representable hybrid systems.

Theorem 5 (Decidability). Let $\delta \in \mathbb{Q}^+$ be arbitrary. There exists an algorithm such that, for any bounded well-defined hybrid automaton $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-represented by $H$ with strictly-imposed invariants, and any unsafe region $U$ $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-represented by $\mathrm{unsafe}$, correctly performs $\delta$-complete analysis for $(k, M)$-bounded reachability for $H$, for any $k \in \mathbb{N}$, $M \in \mathbb{R}^+$.

Proof. We need to show that there is an algorithm that correctly returns one of the following:

- $H$ does not reach $\llbracket \mathrm{unsafe} \rrbracket$ within the $(k, M)$-bound.

- $H^\delta$ reaches $\llbracket \mathrm{unsafe}^\delta \rrbracket$ within the $(k, M)$-bound.

To do this, we only need to solve the $\delta$-decision problem of $\mathrm{Reach}_{H,U}(i, M)$ for $0 \leq i \leq k$. We obtain that either $\mathrm{Reach}_{H,U}(i, M)$ is false for all such $i$, or it is $\delta$-true for some $i$. Then:

- Suppose $\mathrm{Reach}_{H,U}(i, M)$ is false for all $i$. Then we know that for any $i \leq k$, $\mathrm{Reach}_{H,U}(i, M)$ is false. Using Lemma 1 for the special case $\delta = 0$, we know that there does not exist a trajectory $\xi \in \llbracket H \rrbracket$ that can reach $U$ within $i$ steps, and consequently the system is safe within the $(k, M)$-bound.

- Suppose $\mathrm{Reach}_{H,U}(i, M)$ is $\delta$-true for some $i$. We know that there exists $i \leq k$ such that $\mathrm{Reach}_{H,U}^\delta(i, M)$ is true. Using Lemma 1 for $\delta \in \mathbb{Q}^+$, we know that there exists a trajectory $\xi \in \llbracket H^\delta \rrbracket$ that can reach the region represented by $\mathrm{unsafe}^\delta$ in $i$ steps, i.e., within the $(k, M)$-bound. $\square$

From the structure of the $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-formulas encoding $\delta$-reachability, we can obtain the following complexity results for the reachability problems.

Theorem 6 (Complexity). Suppose all the $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-terms in the description of $H$ and $U$ are in complexity class $\mathsf{C}$. Then deciding the $(k, M)$-bounded $\delta$-reachability problem is in

- $\mathsf{NP}^{\mathsf{C}}$ for an invariant-free $H$;

- $(\Sigma_2^P)^{\mathsf{C}}$ for an $H$ with strictly-imposed nontrivial invariants.

Corollary 1. For linear and polynomial hybrid automata, $\delta$-complete bounded reachability analysis ranges from being $\mathsf{NP}$-complete to $\Sigma_2^P$-complete for the cases above. For hybrid automata that can be $\mathcal{L}_{\mathbb{R}_{\mathcal{F}}}$-represented with an $\mathcal{F}$ that contains the solution functions of ODEs with $\mathsf{P}$-computable right-hand sides, the problem is $\mathsf{PSPACE}$-complete.

The results come from the fact that evaluating polynomials is in $\mathsf{P}$, and that the ODEs in question are $\mathsf{PSPACE}$-complete.

Remark 4. The complexity results indicate that the worst-case running time of the analysis is exponential in all the input parameters. In particular, the worst-case running time grows exponentially with the number of bits needed to write down $\delta$ (that is, with the precision demanded) and with the size of the domains. We need to use efficient decision procedures to manage this complexity.


4  Experiments 

Our tool dReach implements the techniques presented in the paper. The tool is built on several existing packages, including opensmt [6] for the general DPLL(T) framework, realpaver [16] for ICP, and CAPD [1] for computing interval enclosures of ODEs. The tool is open-source at http://dreal.cs.cmu.edu/dreach.html. All benchmarks and data shown here are also available on the tool website. All experiments were conducted on a machine with a 3.4GHz octa-core Intel Core i7-2600 processor and 16GB RAM, running 64-bit Ubuntu 12.04 LTS. Table 1 summarizes the running time of the tool on the hybrid system models explained below.


Atrial Fibrillation. We studied the Atrial Fibrillation model as developed in [17]. The model has four discrete control locations, four state variables, and nonlinear ODEs. A typical set of ODEs in the model is:

$$\begin{aligned}
\frac{du}{dt} &= e + (u - \theta_v)(u_u - u)\,v\,g_{fi} + w\,s\,g_{si} - g_{so}(u) \\
\frac{ds}{dt} &= \frac{g_{s2}}{1 + \exp(-2k(u - u_s))} - g_{s2}\,s \\
\frac{dv}{dt} &= -g_v \cdot v \\
\frac{dw}{dt} &= -g_w \cdot w
\end{aligned}$$

The exponential term on the right-hand side of the $ds/dt$ equation is a sigmoid function, which often appears in modelling biological switches.
Prostate Cancer Treatment. The Prostate Cancer Treatment model [23] exhibits more nonlinear ODEs. The reachability questions are

$$\begin{aligned}
\frac{dx}{dt} &= \Big(\alpha_x\big(k_1 + (1-k_1)\tfrac{z}{z+k_2}\big) - \beta_x\big((1-k_3)\tfrac{z}{z+k_4} + k_3\big) - m_1\big(1 - \tfrac{z}{z_0}\big)\Big)x + c_1 x \\
\frac{dy}{dt} &= m_1\big(1 - \tfrac{z}{z_0}\big)x + \Big(\alpha_y\big(1 - d\,\tfrac{z}{z_0}\big) - \beta_y\Big)y + c_2 y \\
\frac{dz}{dt} &= \frac{-z}{\tau} + c_3 z \\
\frac{dv}{dt} &= \Big(\alpha_x\big(k_1 + (1-k_1)\tfrac{z}{z+k_2}\big) - \beta_x\big(k_3 + (1-k_3)\tfrac{z}{z+k_4}\big) - m_1\big(1 - \tfrac{z}{z_0}\big)\Big)x + c_1 x \\
&\quad + m_1\big(1 - \tfrac{z}{z_0}\big)x + \Big(\alpha_y\big(1 - d\,\tfrac{z}{z_0}\big) - \beta_y\Big)y + c_2 y
\end{aligned}$$
Electronic Oscillator. The EO model represents an electronic oscillator that contains nonlinear ODEs such as the following:

$$\begin{aligned}
\frac{dx}{dt} &= -a_x \cdot \sin(\omega_1 \cdot \tau) \\
\frac{dy}{dt} &= -a_y \cdot \sin((\omega_1 + c_1)\cdot \tau) \cdot \sin(\omega_2) \cdot 2 \\
\frac{dz}{dt} &= -a_z \cdot \sin((\omega_2 + c_2)\cdot \tau) \cdot \cos(\omega_1) \cdot 2 \\
\frac{d\omega_1}{dt} &= -c_3 \cdot \omega_1 \\
\frac{d\omega_2}{dt} &= -c_4 \cdot \omega_2
\end{aligned}$$
Quadcopter Control. We developed a model that contains the full dynamics of a quadcopter. We use the model to solve control problems by answering reachability questions. A typical set of the differential equations is the following:

$$\begin{aligned}
\frac{d\omega_x}{dt} &= L\cdot k\cdot(\omega_1^2 - \omega_3^2)\,(1/I_{xx}) - (I_{yy} - I_{zz})\,\omega_y\,\omega_z / I_{xx} \\
\frac{d\omega_y}{dt} &= L\cdot k\cdot(\omega_2^2 - \omega_4^2)\,(1/I_{yy}) - (I_{zz} - I_{xx})\,\omega_x\,\omega_z / I_{yy} \\
\frac{d\omega_z}{dt} &= b\cdot(\omega_1^2 - \omega_2^2 + \omega_3^2 - \omega_4^2)\,(1/I_{zz}) - (I_{xx} - I_{yy})\,\omega_x\,\omega_y / I_{zz} \\
\frac{dx_p}{dt} &= (1/m)\big(\sin(\phi)\sin(\psi)\,k\,(\omega_1^2 + \omega_2^2 + \omega_3^2 + \omega_4^2) - k\cdot d\cdot x_p\big) \\
\frac{dy_p}{dt} &= (1/m)\big(-\cos(\psi)\sin(\theta)\,k\,(\omega_1^2 + \omega_2^2 + \omega_3^2 + \omega_4^2) - k\cdot d\cdot y_p\big) \\
\frac{dz_p}{dt} &= (1/m)\big(-g - \cos(\theta)\,k\,(\omega_1^2 + \omega_2^2 + \omega_3^2 + \omega_4^2) - k\cdot d\cdot z_p\big) \\
\frac{dx}{dt} &= x_p, \qquad \frac{dy}{dt} = y_p, \qquad \frac{dz}{dt} = z_p
\end{aligned}$$

[$d\phi/dt$, $d\theta/dt$, $d\psi/dt$: Euler-angle rate equations in $\omega_x$, $\omega_y$, $\omega_z$ and $\sin$, $\cos$ of $\phi$ and $\theta$; the exact expressions are not recoverable from the scan.]
Room for Improvements. We aim to provide an open-source framework that allows much more optimization. In particular, while we can solve highly nonlinear models that are beyond the scope of other existing tools, there are simpler examples on which other tools perform better. For instance, the Flow* tool [7] can efficiently compute a tight enclosure of the following system, while our tool does not terminate in reasonable time:

$$\begin{aligned}
dx/dt &= -9(x-2) - 7(y+2) + (z-1) + 0.2(x-2)(y+2) + 0.1(y+2)(z-1) + 0.1(x-2)(z-1) + 0.5(z-1)^2 \\
dy/dt &= 6(x-2) + 4(y+2) + z - 1 \\
dz/dt &= 3(x-2) + 2(y+2) - 2.5(z-1)
\end{aligned}$$

The reason is that the CAPD package that we use for verified integration of ODEs blows up on this set of equations. However, our framework can integrate any reachable-set computation tool in place of CAPD for pruning on continuous flows. We remark on this in the next section.
Benchmark      #Mode  #Depth  #ODEs  #Vars  Delta   Result  Time(s)  Trace
AF-GOOD          4      3      20     53    0.001   SAT       0.425   793K
AF-BAD           4      3      20     53    0.001   UNSAT     0.074   —
AF-TO1-GOOD      4      3      24     62    0.001   SAT       2.750   224K
AF-TO1-BAD       4      3      24     62    0.001   UNSAT     5.189   —
AF-TO2-GOOD      4      3      24     62    0.005   SAT       3.876   553K
AF-TO2-BAD       4      3      24     62    0.001   UNSAT     8.857   —
AF-TS01-TS02     4      3      24     62    0.001   UNSAT     0.027   —
AF8-K7           8      7      40    101    0.001   SAT      10.478   3.8M
AF8-K23          8     23      40    293    0.001   SAT     135.29    11M
EO-K2            3      2      18     48    0.01    SAT       3.144   1.9M
EO-K11           3     11      99    174    0.01    UNSAT     0.969   —
QUAD-K1          2      1      34     89    0.01    SAT       2.386   10M
QUAD-K2          2      2      34    125    0.01    SAT       4.971   13M
QUAD-K3          4      3      68    161    0.01    SAT      13.755   42M
QUAD-K3U         4      3      68    161    0.01    UNSAT     2.846   —
CT               2      2      10     41    0.005   SAT     345.84    3.1M
CT               2      2      10     41    0.002   SAT     362.84    3.1M
BB-K10           2     10      22     66    0.01    SAT       8.057   123K
BB-K20           2     20      42    126    0.01    SAT      39.196   171K

Table 1: #Mode = number of modes in the hybrid system, #Depth = unrolling depth, #ODEs = number of ODEs in the unrolled formula, #Vars = number of variables in the unrolled formula, Delta = the precision δ used, Result = bounded model checking result (δ-SAT/UNSAT), Time = CPU time (s), Trace = size of the ODE trajectory. AF = Atrial Fibrillation, EO = Electronic Oscillator, QUAD = Quadcopter Control, CT = Cancer Treatment, BB = Bouncing Ball with Drag.


5  Discussion 

Reachable set computation, which computes geometric representations of the complete set of reachable states, is the mainstream approach for analyzing bounded reachability of hybrid systems. These techniques can have difficulty scaling on systems with very complex dynamics and discrete transitions. Bounded model checking has the advantage of focusing the search on one counterexample, and does not maintain the complete set of reachable states. With fast SAT/SMT solvers, bounded model checking techniques can natively handle the discrete components in hybrid systems. Bounded model checking requires a very powerful solver, one that can handle ODEs and nested quantifiers. We have proved that the complexity of bounded $\delta$-reachability is comparable to SAT solving, and it is reasonable to expect that with further improvement of the solver, large realistic systems can eventually be handled in practice. Note again that all the techniques of reachable set computation can be used directly inside logic solvers, and it is possible to have practical tools that combine the advantages of both approaches.

6  Conclusion 

We developed the framework of $\delta$-complete analysis for bounded reachability of a wide range of hybrid systems. $\delta$-Complete reachability analysis reduces verification problems to $\delta$-decision problems of formulas over the reals. It follows from $\delta$-decidability of these formulas that $\delta$-complete reachability analysis of a wide range of nonlinear hybrid systems is decidable. In practice, $\delta$-reachability problems are solved through reduction to $\delta$-decision problems for first-order formulas over the reals. We demonstrated the scalability of our approach on highly nonlinear hybrid systems.

Fig. 1: Example trajectories computed for the following models: (a) Quadcopter Control, (b) Atrial Fibrillation, (c) Electronic Oscillator.
Appendix

Proof of Lemma 1.

Proof. We prove the case with nontrivial invariants. We work with the unperturbed encoding, which easily applies to the $\delta$-perturbed version. We will need to do induction on the subformula of $\mathsf{Reach}_{H,U}$ that does not contain the unsafe conditions. For reasons that will be made clear below, we split the formula $\mathsf{Reach}_{H,U}(k, M)$ into two parts and write it as the conjunction $\mathsf{traj}(k, M) \wedge \mathsf{unsafe}(k)$, where $\mathsf{unsafe}(k)$ is $\bigvee_{q \in Q}\big(\mathsf{unsafe}_q(x_k^t) \wedge \mathsf{enforce}(q, k)\big)$.

Suppose $\mathcal{M} \models \mathsf{Reach}_{H,U}(k, M)$. We do induction on $k$ to prove that there exists a trajectory $\xi \in [\![H]\!]$ that contains $k$ mode changes. When $k = 0$, without loss of generality we pick an arbitrary starting mode $q$, such that the $\mathsf{traj}(k, M)$ part of the formula can be simplified as

$$\exists x_0\, \exists x_0^t\, \exists^{[0,M]} t_0\, \Big(\mathsf{init}_q(x_0) \wedge \mathsf{flow}_q(x_0, x_0^t, t_0) \wedge \mathsf{enforce}(q, 0) \wedge \forall^{[0,t_0]} t\, \forall x\, \big(\mathsf{flow}_q(x_0, x, t) \rightarrow \mathsf{inv}_q(x)\big)\Big).$$

Since the formula is true, there exist witnesses $a_0, a_0^t, \tau$ such that the quantifier-free part is satisfied. By well-definedness of $\mathsf{flow}_q$ there exists a trajectory $\xi$ from $a_0$ to $a_0^t$ such that for any $0 \le \tau' \le \tau$, $\xi(\tau')$ satisfies the invariant condition. Now, suppose $k = (k-1) + 1$ ($k \ge 1$) and by the inductive hypothesis there exists a trajectory $\xi' \in [\![H]\!]$ with $k-1$ mode changes. We now extend $\xi'$ with one more mode change. Let $\mathsf{traj}(k-1, M)$ be the corresponding part of $\mathsf{Reach}_{H,U}(k-1, M)$; thus $\mathsf{traj}(k, M)$ can be written as

$$\exists x_k\, \exists x_k^t\, \exists^{[0,M]} t_k\, \Big(\mathsf{traj}(k-1, M) \wedge \bigvee_{q, q' \in Q}\big(\mathsf{jump}_{q \to q'}(x_{k-1}^t, x_k) \wedge \mathsf{flow}_{q'}(x_k, x_k^t, t_k) \wedge \mathsf{enforce}(q, q', k) \wedge \forall^{[0,t_k]} t\, \forall x\, (\mathsf{flow}_{q'}(x_k, x, t) \rightarrow \mathsf{inv}_{q'}(x))\big) \wedge \mathsf{enforce}(q', k)\Big).$$

Note that $x_0, \ldots, x_{k-1}^t$ are quantified variables in $\mathsf{traj}(k-1, M)$. Since the formula is true, there exist $a_k, a_k^t, \tau_k$ that witness the satisfiability of the quantifier-free part of the formula outside of $\mathsf{traj}(k-1, M)$. Now, we extend $\xi' \in [\![H]\!]$ in the following way. Let the last state of $\xi'$ be given by $a_{k-1}^t$. Following the formula, we have that $\mathsf{jump}_{q \to q'}(a_{k-1}^t, a_k)$ satisfies the jumping condition between mode $q$ and $q'$. It is then followed by a continuous trajectory that starts from $a_k$ and ends at $a_k^t$, satisfying $\mathsf{flow}_{q'}(a_k, a_k^t, \tau_k)$. Thus, there exists a trajectory $\xi \in [\![H]\!]$ with $k$ mode changes. Thus, for all $k$ there exists a trajectory $\xi \in [\![H]\!]$ such that for some $(k, t) \in T(\xi)$, $(\xi(k, t), \sigma_\xi(k)) \in [\![\mathsf{unsafe}]\!]$.

The reverse direction is easy. Suppose there exists a trajectory $\xi \in [\![H]\!]$ such that for some $(k, t) \in T(\xi)$, $(\xi(k, t), \sigma_\xi(k)) \in [\![\mathsf{unsafe}]\!]$; then the start and end points of each piece of the continuous trajectories witness the formula $\mathsf{Reach}_{H,U}(k, M)$. □